The U.S. Federal Communications Commission wants to strengthen federal law enforcement and modernize breach notification requirements for telecommunications companies so that they notify customers of security breaches faster.
The FCC’s proposals (first circulated in January 2022) include eliminating the current mandatory seven-day waiting period that telecoms must observe before alerting consumers of a data breach.
The Commission also wants telecommunications carriers to report all significant breaches to several federal agencies, including the FBI, Secret Service, and the FCC.
“We propose to eliminate the outdated seven business day mandatory waiting period before notifying customers, require the reporting of inadvertent but harmful data breaches, and ensure that the agency is notified of major data breaches,” FCC Chairwoman Jessica Rosenworcel said.
“The FCC also proposes clarifying its rules to require consumer notification by carriers of inadvertent breaches and requiring notification of all reportable breaches to the FCC, FBI, and U.S. Secret Service,” the agency said in a separate press release.
The first rule requiring telecoms and interconnected VoIP providers to alert federal law enforcement agencies and their customers of data breaches was adopted by the Commission in 2007.
FCC data breach rules are 15 years old. An update is way overdue. It starts now. https://t.co/Lzul0Fkfja
— Jessica Rosenworcel (@JRosenworcel) January 6, 2023
The severity of recent telecom hacks shows that the FCC’s data breach rules need an update to be aligned with federal and state data breach laws covering other sectors.
For instance, in December, Comcast Xfinity customers reported that their accounts were hacked in widespread attacks bypassing two-factor authentication.
In October, Verizon notified prepaid customers that their accounts were breached and that exposed credit card info was used in SIM swapping attacks.
T-Mobile has also been hit by at least seven breaches since 2018, with the most recent one disclosed after Lapsus$ hackers breached the company’s internal systems and stole proprietary T-Mobile source code, according to reports.
Lastly, AT&T paid $25 million in April 2016 to settle an FCC investigation into three separate data breaches affecting hundreds of thousands of customers.
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” Rosenworcel said.
“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”